Q

Can you tell me how I was attacked and suggest a remedy?

In the past, I have applied the patches to my NT4 IIS 4.0 system to address the Web folder traversal/unicode problems (also CodeRed). If I look at my IIS logs, I see plenty of attempts to get to WinNT\system32\cmd.exe but all get turned down.

Last week, one of these attacks was successful. Looking in the log, it says that the request was (from memory) for:

/_vti_cnf/../../../../../../../winnt/system32/cmd.exe/c:dir
(I'm not sure if I have exactly the right number of /.. in there).

My system has InetPub on the D drive, and WinNT on the C drive, so I don't see how any number of /.. on the request could possibly result in a successful GET.

Can you explain this behaviour, and suggest any remedy?

A

I'm curious to see the exact URL. If the actual request was being passed to an executable or a script, the server may have returned a success (HTTP 200) message, regardless of whether the attacker actually succeeded in executing CMD.EXE. For example, this request could return a success message because someprogram.exe was successfully passed the following parameters:

http://yoursite/cgi-bin/someprogram.exe?./../../../winnt/system32/cmd.exe

However, no harm could be done unless someprogram.exe knew how to process the portion of the request after the command name--which may be the case, if the attacker was attempting to exploit a known vulnerability.
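The answer's point is that an HTTP 200 in the IIS log does not by itself prove cmd.exe ran: the request may have mapped to a script that merely received the traversal string as a parameter. The following is an added example, not code from the TechTarget answer, showing how a defender can triage IIS W3C extended log lines with that distinction in mind. It percent-decodes each URI (so overlong unicode and double-encoded separators are still visible), flags traversal and cmd.exe patterns, and separates attempts the server refused (4xx) from 200 responses, which it further splits into "the URI itself resolved to cmd.exe" versus "cmd.exe only appeared in the argument to another program". All log lines, IP addresses and the program name someprogram.exe are constructed for the example.

```python
"""Triage directory-traversal attempts in IIS W3C extended log lines.

Added example for this Q&A page. The log below is a constructed sample in
IIS 4.0 W3C extended format; it is not real traffic.
"""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log (fields follow the #Fields directive line).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-11-20 10:01:02 192.0.2.10 GET /default.htm - 200
2001-11-20 10:01:05 192.0.2.20 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404
2001-11-20 10:01:09 192.0.2.20 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 403
2001-11-20 10:02:17 192.0.2.30 GET /_vti_cnf/../../../../../../../winnt/system32/cmd.exe /c+dir 200
2001-11-20 10:02:40 192.0.2.40 GET /cgi-bin/someprogram.exe ./../../../winnt/system32/cmd.exe 200
"""

# Markers visible only in the raw, still-encoded URI: overlong UTF-8 slash
# encodings (%c0%af, %c1%9c) and double-encoded separators (%255c, %252f).
RAW_MARKERS = re.compile(r"%c0%af|%c1%9c|%25(?:5c|2f)", re.IGNORECASE)
# Markers checked after one round of percent-decoding.
DECODED_MARKERS = re.compile(r"\.\.[\\/]|cmd\.exe", re.IGNORECASE)


def parse_w3c(text):
    """Return one dict per data line, keyed by the names in #Fields."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log data appears before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than guess at columns
        rows.append(dict(zip(fields, values)))
    return rows


def decode_uri(raw):
    """Percent-decode once; invalid UTF-8 (overlong sequences) stays visible."""
    return unquote_to_bytes(raw).decode("utf-8", errors="backslashreplace")


def classify(row):
    """Label a request: benign, blocked, investigate, or passed-as-argument."""
    stem = row["cs-uri-stem"]
    query = row["cs-uri-query"]
    combined = stem + (" " + query if query != "-" else "")
    decoded = decode_uri(combined)
    suspicious = bool(RAW_MARKERS.search(combined) or DECODED_MARKERS.search(decoded))
    if not suspicious:
        return "benign"
    if int(row["sc-status"]) >= 400:
        return "blocked"
    # A 200 means something was served or executed. If cmd.exe is only in the
    # query handed to another program, the server ran that program, not cmd.exe;
    # whether it did anything harmful with the argument needs a host-side check.
    if "cmd.exe" in decoded.lower() and not stem.lower().endswith("cmd.exe"):
        return "passed-as-argument"
    return "investigate"


def triage(text):
    """Summarise every request as (client, uri-stem, status, label)."""
    return [
        (row["c-ip"], row["cs-uri-stem"], row["sc-status"], classify(row))
        for row in parse_w3c(text)
    ]


if __name__ == "__main__":
    for client, stem, status, label in triage(SAMPLE_LOG):
        if label != "benign":
            print(f"{label:18} {status} {client} {stem}")
```

The two constructed 200 lines reproduce the two cases in the answer: the `/_vti_cnf/..` request resolves to cmd.exe itself and is labelled `investigate`, while the `someprogram.exe` request only carries the traversal string as an argument and is labelled `passed-as-argument`. Either way the next step is on the host (process accounting, file timestamps, what the target script does with its arguments), not in the web log alone.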

This was first published in December 2001
